wazuh / wazuh-kubernetes

Wazuh - Wazuh Kubernetes
https://wazuh.com/
GNU General Public License v2.0

API is failing with 400 code #629

Open Thorgrym opened 5 months ago

Thorgrym commented 5 months ago

Hello, I have the exact same issue as in this Google Groups thread from 2 years ago: https://groups.google.com/g/wazuh/c/-FTAUtq6-j8

When I enable the Vulnerability detector in the ossec.conf of my Wazuh manager master, sometimes the requests to the API are made with an "unknown_user" and then start failing with error 400. The only way to make Wazuh work again afterwards is restarting the Wazuh manager.

Here are the API logs of the manager:

2024/03/25 11:35:54 INFO: wazuh-wui 10.2.0.7 "GET /cluster/status" with parameters {} and body {} done in 0.023s: 200
2024/03/25 11:35:54 INFO: wazuh-wui 10.2.0.7 "GET /cluster/wazuh-manager-master/configuration/request/remote" with parameters {} and body {} done in 0.098s: 200
2024/03/25 11:35:54 INFO: wazuh-wui 10.2.0.7 "GET /cluster/wazuh-manager-master/configuration/auth/auth" with parameters {} and body {} done in 0.125s: 200
2024/03/25 11:35:54 INFO: wazuh-wui 10.2.0.7 "GET /groups" with parameters {} and body {} done in 0.022s: 200
2024/03/25 11:40:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.017s: 400
2024/03/25 11:40:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.007s: 400
2024/03/25 11:45:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.013s: 400
2024/03/25 11:45:00 INFO: unknown_user 10.2.0.7 "GET /cluster/status" with parameters {} and body {} done in 0.007s: 400
2024/03/25 11:45:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.014s: 400
2024/03/25 11:50:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.014s: 400
2024/03/25 11:50:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.008s: 400
2024/03/25 11:55:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.010s: 401
2024/03/25 11:55:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.003s: 401
2024/03/25 11:55:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.007s: 400
2024/03/25 11:55:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.005s: 400
2024/03/25 12:00:00 INFO: unknown_user 10.2.0.7 "GET /cluster/status" with parameters {} and body {} done in 0.007s: 401
2024/03/25 12:00:01 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.006s: 401
2024/03/25 12:00:01 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.009s: 401
2024/03/25 12:00:01 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.008s: 400
2024/03/25 12:00:01 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.006s: 400
2024/03/25 12:00:01 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.006s: 400
2024/03/25 12:05:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.007s: 401
2024/03/25 12:05:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.003s: 401
2024/03/25 12:05:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.007s: 400
2024/03/25 12:05:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.005s: 400
2024/03/25 12:10:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.008s: 401
2024/03/25 12:10:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.003s: 401
2024/03/25 12:10:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.008s: 400
2024/03/25 12:10:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.005s: 400
2024/03/25 12:15:00 INFO: unknown_user 10.2.0.7 "GET /cluster/status" with parameters {} and body {} done in 0.009s: 401

Here is the result of service wazuh-manager status when everything is fine:

wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

And after the API stops responding:

wazuh-clusterd is running...
wazuh-modulesd not running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

We see that modulesd stopped. I also did a status at the moment of the API failure and got this: wazuh-modulesd: Process 21214 not used by Wazuh, removing...

Here I can provide the last logs in ossec.log just before the crash of the API:

2024/03/25 12:35:47 rootcheck: INFO: Ending rootcheck scan.
2024/03/25 12:42:23 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Xenial' feed finished successfully.
2024/03/25 12:42:23 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Bionic' database update.
2024/03/25 12:47:13 wazuh-db: ERROR: sqlite3_step(): UNIQUE constraint failed: sca_scan_info.id
2024/03/25 12:51:00 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Bionic' feed finished successfully.
2024/03/25 12:51:00 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Focal' database update.
2024/03/25 12:58:06 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Focal' feed finished successfully.
2024/03/25 12:58:06 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Jammy' database update.
2024/03/25 13:04:09 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Jammy' feed finished successfully.
2024/03/25 13:04:09 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Buster' database update.

Thanks
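An added monitoring example (not code from the issue or from the Wazuh project) that parses the API log format and the status output shown above: it flags the pattern in this report, a client that previously authenticated as a named user now receiving unknown_user 4xx responses and failed authenticate calls, alongside wazuh-modulesd reported as not running. The sample log lines and status output are constructed, and the alert thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the Wazuh API log quoted in the issue.
API_LOG = """\
2024/03/25 11:35:54 INFO: wazuh-wui 10.2.0.7 "GET /cluster/status" with parameters {} and body {} done in 0.023s: 200
2024/03/25 11:40:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.017s: 400
2024/03/25 11:55:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.010s: 401
2024/03/25 11:55:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.007s: 400
"""
# Constructed sample of `service wazuh-manager status` output after modulesd died.
STATUS_OUT = "wazuh-clusterd is running...\nwazuh-modulesd not running...\nwazuh-apid is running...\n"

API_LINE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) INFO: (?P<user>\S+) (?P<ip>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" .* done in (?P<secs>[\d.]+)s: (?P<status>\d{3})$')

def parse_api_log(text):
    """One dict per parseable API log line; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            entries.append({**m.groupdict(), "status": int(m.group("status"))})
    return entries

def auth_failures_by_ip(entries):
    """Per client IP: successful named-user calls, unknown_user 4xx, failed authenticate calls, first failure time."""
    stats = defaultdict(lambda: {"ok_named": 0, "unknown_4xx": 0, "auth_fail": 0, "first_fail": None})
    for e in entries:
        s = stats[e["ip"]]
        if e["user"] != "unknown_user" and 200 <= e["status"] < 300:
            s["ok_named"] += 1
        elif e["user"] == "unknown_user" and 400 <= e["status"] < 500:
            s["unknown_4xx"] += 1
            s["first_fail"] = s["first_fail"] or e["ts"]
        elif e["path"] == "/security/user/authenticate" and e["status"] >= 400:
            s["auth_fail"] += 1
    return dict(stats)

def daemons_not_running(status_text):
    """Daemon names reported as 'not running' in `service wazuh-manager status` output."""
    return [line.split()[0] for line in status_text.splitlines() if "not running" in line]

def should_alert(stats, status_text, required=("wazuh-modulesd", "wazuh-apid")):
    """Alert when a required daemon is down or a formerly-working client only gets 4xx (assumed threshold: 2)."""
    down = [d for d in daemons_not_running(status_text) if d in required]
    broken = [ip for ip, s in stats.items() if s["ok_named"] and s["unknown_4xx"] + s["auth_fail"] >= 2]
    return down, broken
```

Running should_alert over the real API log and the live status output from a cron job gives an early signal of this failure well before the dashboard reports the API as unreachable.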

estefanocreare commented 4 months ago

I'm facing this issue as well.